On February 21, 2025, $1.5 billion disappeared from Bybit in minutes. More than a year later, only 3% has been frozen. The rest is still moving.

This is not a post-mortem. This is a live fund flow analysis — showing exactly how the stolen funds moved, where they went, and what blockchain forensics tools can (and cannot) tell you about Lazarus Group's laundering operation.

What Actually Happened: The Attack Vector

The Bybit hack was not a smart contract exploit. It was a supply chain attack targeting the signing interface.

Here is the technical chain of events:

Two days before the attack, hackers compromised Safe{Wallet}'s AWS S3 bucket and injected malicious JavaScript into the platform's frontend. The code was dormant, waiting.

On February 21, Bybit employees initiated a routine cold-to-hot wallet transfer. The UI displayed a legitimate transaction. Behind the scenes, the injected code was doing something else: it overwrote the proxy contract's implementation address (stored in slot zero of the Gnosis multisig) with an attacker-controlled contract.

The signers approved what they thought was a normal transfer. What they actually signed gave the attacker full control of the cold wallet.

The attacker contract contained two functions:

• sweepERC20(address token, address to) — drain ERC-20 tokens
• sweepETH(address receiver) — drain ETH

Within minutes, 401,000 ETH was gone.

The Fund Flow: Address by Address

This is where blockchain forensics becomes critical — and where ChainHint's tracing pipeline makes the invisible visible.

Stage 1: Consolidation

All stolen assets initially landed at the primary exploit address 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e. This is the address we use as ChainHint's test case — it's one of the most documented malicious addresses in Ethereum history.

From there, assets moved to 0x4766...e2, where stETH and mETH were converted to ETH via decentralized exchanges. This step was critical: stETH and mETH are less liquid and harder to move at scale. Converting to ETH increased mobility.

Stage 2: Fragmentation

Rather than moving $1.5B as a single transaction, the attacker distributed funds in 10,000 ETH increments across 48 separate addresses. One of the primary distribution hubs, 0xdd90...f92, received 98,048 ETH before sending 90,000 ETH onward to further wallets.

This fragmentation strategy serves a specific purpose: it overwhelms manual analysis. Tracking 48 wallets simultaneously requires automated tooling. Without it, investigators lose the thread within the first two hops.

Stage 3: Chain Bridging

By March 20, 2025, Bybit CEO Ben Zhou confirmed that 86.29% of the stolen ETH had been converted to BTC. This cross-chain move is the most dangerous moment in any laundering operation — it breaks the on-chain trail between networks and requires investigators to maintain context across both chains simultaneously.

The bridging happened through multiple decentralized exchanges and cross-chain bridges, deliberately avoiding centralized infrastructure that could freeze funds.

Stage 4: Obfuscation

After cross-chain conversion, Lazarus Group deployed their standard playbook:

• BTC and ETH mixers to break transaction links
• Peer-to-peer (P2P) vendor networks to convert to fiat
• Money laundering-as-a-service via organized crime syndicates

As of March 2026, approximately \(400 million has been traced through laundering channels. The remaining \)1.1 billion remains in active wallet clusters under ongoing monitoring.

Tracing This in ChainHint

We ran the Bybit exploiter address through ChainHint's fund flow graph. Here is what the visualization surfaces immediately:

The root node 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e shows a Sanctioned status badge — it appears on the OFAC SDN list. Entity labels identify it as "Bybit Exploiter" across our 44M+ address database.

The outbound edges fan out across 48 child nodes within the first two hops, each tagged with the 10,000 ETH amounts. Entity resolution flags several of these as Lazarus Group-associated wallets based on cross-referencing against Arkham Intelligence data.

At hop 3, cross-chain bridge contracts appear — Chainflip, THORChain nodes — marking the transition point where ETH flows leave Ethereum and the trail splits into BTC.

The OFAC badge on the root node triggers automatically. Any funds that touched 0xa4b2...449e carry sanctions risk for downstream recipients.

Why Only 3% Was Frozen

The math is simple and brutal.

The optimal windows to freeze funds are three: when converted to BTC, when converted to a stablecoin, and when deposited at a centralized exchange. Each window is measured in hours.

By the time blockchain analysts mapped the full fund flow, coordinated with exchanges in multiple jurisdictions, and submitted freeze requests — the funds had already moved past the first two windows for most of the $1.5B.

The $42 million that was frozen came from the first hours of the investigation, when Elliptic and ZachXBT identified initial deposit addresses at centralized exchanges before those exchanges processed the deposits.

The lesson: forensic response speed is measured in minutes, not days.

What Chainalysis-Level Tools Cost vs. What You Actually Need

Bybit had access to Chainalysis, Elliptic, and TRM Labs — three enterprise platforms with pricing that starts at $25,000/year and scales into six figures.

For individual victims, security researchers, and small forensic firms, these tools are inaccessible. The result: when someone loses $50,000 to a drainer or a compromised wallet, they have no way to trace where the funds went.

ChainHint was built to close this gap. The same fund flow tracing that ran on Bybit's exploiter address — multi-hop BFS traversal, entity resolution against 44M+ labeled addresses, OFAC sanctions checking, cross-chain context — runs on any address for $79/month.

Enterprise forensics. Indie price.

The Bybit Hack in Numbers (March 2026)

• Stolen: $1.5B (401,000 ETH)
• Frozen: ~$42M (3% of total)
• Converted to BTC: 86.29%
• Currently tracked: ~$1.1B in active wallet clusters
• Bounty paid out: $4M+
• Lazarus Group attribution: FBI confirmed (Feb 26, 2025)
• Recovery outlook: Low — Lazarus has held funds for years before laundering

Try It Yourself

The Bybit exploiter address is public. The fund flow is on-chain. Anyone can trace it.

Start with 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e on ChainHint — free tier gives you three hops. You'll see exactly how $1.5B begins its journey through the blockchain.

If you are investigating your own incident, the same pipeline works. Paste your address, set your hop depth, and let the graph tell the story the blockchain already recorded.

ChainHint is a blockchain forensics platform for incident response. 44M+ labeled addresses. 11 chains. Built for investigators who cannot afford enterprise pricing.

Within 48 hours, the attackers had moved $160 million through mixers, bridges, and intermediary wallets. By the time most people had read the news, the trail was already going cold.

Bybit had access to Chainalysis. Most people don't.

The Numbers Nobody Talks About

$6.7 billion. That's how much Lazarus Group alone has stolen in crypto since 2016. Not a rounding error — a sustained, state-sponsored extraction operation targeting an industry that still doesn't know how to respond when things go wrong.

In 2024, $2.2 billion was stolen across 303 incidents. In the first half of 2025, another $2.17 billion — already matching the entire previous year, with Bybit accounting for 68% of that alone.

These numbers are well-documented. What's less documented is what happens to the victims.

What Happens After a Hack

The playbook for a crypto hack victim goes like this:

You notice funds are missing. You open Etherscan. You see a transaction hash. You click through a few addresses and immediately hit a wall — dozens of intermediary wallets, no labels, no context, no idea where your money went.

You Google "how to trace stolen crypto." You find two categories of results: enterprise forensics platforms that start at $30,000 per year and require a sales call, and recovery scam services that will steal what little you have left.

You file a police report. The officer has no idea what a transaction hash is.

You accept the loss.

This is the experience of the overwhelming majority of crypto hack victims. Not the Bybits of the world — the individuals, the small protocols, the crypto law firms trying to build a case, the compliance analyst at a mid-size exchange without a Chainalysis contract.

The Tool Gap

The blockchain forensics market has a structural problem. The best tools are priced for governments and Tier-1 exchanges. Everything else is block explorers.

Chainalysis Reactor: $30,000–$500,000 per year. Sales call required. Six-week procurement cycle. Built for the FBI, IRS-CI, and Coinbase — not for you.

TRM Labs, Elliptic: same model, similar pricing.

Free alternatives: Etherscan labels (incomplete), Breadcrumbs (limited hops), manual spreadsheet work.

The gap between "block explorer" and "enterprise platform" is enormous. And it's where 99% of victims end up stuck.

Why This Gap Exists

The forensics industry built itself around compliance, not victims.

The business model of Chainalysis, TRM, and Elliptic is AML/KYC compliance for regulated institutions. Banks, exchanges, payment processors — entities with legal obligations to screen transactions and the budgets to pay for it.

Victims are not the customer. Recovery is not the product. The market signal that created these companies was regulatory pressure, not human suffering.

This isn't a criticism — it's a structural reality. When your customer is a compliance department with a six-figure budget, you build accordingly. You build for enterprise procurement, not for the person who just lost their life savings to a drainer at 2am.

What Actually Helps

I've lost crypto more than once. Drainers, compromised contracts, wallet exploits.

Each time, the bottleneck was the same: I could see the transaction, but I couldn't understand it. I could find the next address, but not the one after that. I could see that funds moved, but not where they ended up or who controlled the destination.

The tools that actually help in the first hours after a hack:

Entity resolution — knowing that 0xd90e2f925da726b50c4ed8d0fb90ad053324f31a is Tornado Cash, not an anonymous wallet. This changes everything. It tells you the trail is cold, or it tells you funds hit a labeled exchange that might freeze them.

Multi-hop tracing — following funds 4-6 hops deep automatically, not manually clicking through Etherscan. Attackers rely on victims losing the trail after 2-3 hops.

Exchange endpoint identification — knowing which exchange received the final deposit. This is the actionable output. An exchange can freeze funds if notified within hours. After that, the window closes.

Documentation — a structured report with transaction hashes, timestamps, hop-by-hop breakdown, and OFAC sanctions flags. Law enforcement can't act on a screenshot. They need a chain-of-custody document.

The 48-Hour Window

Here's what most people don't know: crypto theft is not always irreversible.

Tether (USDT) has a blacklist function. Major exchanges have compliance channels that respond to documented freeze requests. Law enforcement has seized billions in crypto using blockchain forensics.

But all of this requires speed. The window to intercept stolen funds is measured in hours, not days. Attackers know this — they fragment and bridge as fast as possible specifically to close that window before anyone can act.

In the $540,000 case documented recently on Reddit, an investigator traced funds across 5 hops, identified a consolidation wallet, and worked with law enforcement to freeze $540K before it could be moved. The key was moving within 24 hours of the theft.

Most victims don't move within 24 hours because they spend that time figuring out what happened, not acting on it.

What We Built

ChainHint started from a simple observation: the information needed to trace stolen crypto exists. The blockchain is public. The data is there. What's missing is a tool that makes it accessible without a $100,000 annual contract.

We built an incident response platform — not a compliance tool, not an intelligence database, but specifically the workflow you need in the hours after something goes wrong.

Paste an address. Get a fund flow graph across 11 chains. See which entities received funds. Get an AI-generated investigation report with MITRE ATT&CK classification and recommended next steps. Export as PDF for law enforcement.

44 million labeled addresses. 350,000 entities. From $79 per month.

It's not Chainalysis. It doesn't need to be. It needs to be the tool that exists between "block explorer" and "six-figure enterprise contract" — the one that gives a hack victim a fighting chance in the first 48 hours.

The Bigger Problem

$6.7 billion stolen. Hundreds of thousands of victims. A forensics industry priced for governments.

The gap isn't closing on its own. Enterprise tools will keep getting more sophisticated and more expensive. The regulatory use case will keep driving the market. Victims will keep accepting losses because they don't know what else to do.

The only way this changes is if accessible tools exist — tools that a crypto lawyer can afford, that a hack victim can use without a blockchain engineering degree, that a small exchange can run without a procurement department.

We're building one. There are others. It's not enough yet.

But the $6.7 billion number keeps growing, and the 48-hour window keeps closing, and somewhere right now someone is staring at a transaction hash and has no idea what to do next.

That's the problem.

ChainHint is a crypto incident response platform. 44M+ labeled addresses, 350K entities, 11 chains. From $79/month — chainhint.com

Drainers, compromised contract signatures, wallet exploits. Each time, the process was the same: panic, open a block explorer, stare at a wall of transaction hashes, and eventually accept the loss as a lesson. When I looked for tools to actually trace where the funds went — the only real options were Chainalysis, Elliptic, and TRM Labs. Enterprise platforms with enterprise price tags. $50,000 to $500,000 per year. Sales calls required. No self-serve.

That's why I built ChainHint.

This article is an honest comparison of ChainHint against Chainalysis — what each does well, where they differ, and who each tool is actually built for.

Why People Are Looking for a Chainalysis Alternative

Chainalysis is the undisputed leader in blockchain intelligence. Used by the FBI, IRS-CI, Europol, and the largest crypto exchanges in the world. Their data has contributed to the recovery of billions in stolen funds and landmark criminal prosecutions.

But Chainalysis is not built for you — the individual investigator, the crypto lawyer, the compliance analyst at a mid-size exchange, the DeFi protocol that just got exploited.

The problems are structural:

Price. Chainalysis Reactor (their investigation tool) starts at $30,000–$50,000/year for basic access. Full enterprise packages run $200,000–$500,000/year. There is no self-serve tier, no monthly plan, no free trial.

Access model. Everything goes through sales. You cannot sign up, enter a wallet address, and see results today. The sales cycle is measured in weeks.

Target customer. Chainalysis is optimized for government agencies and Tier-1 exchanges. Their onboarding, compliance requirements, and contract structures reflect that.

Result: The 99% of the market that can't afford enterprise pricing — individual investigators, crypto law firms, small exchanges, DeFi protocols, hack victims — has no real tool. They use free block explorers, manual spreadsheets, and guesswork.

ChainHint vs. Chainalysis: Direct Comparison

The core difference: Chainalysis is a government-grade intelligence platform. ChainHint is an investigation tool built for people who actually need to use it today, without a procurement department and a six-figure budget.

What ChainHint Actually Does

Fund Tracing Across 11 Chains

Paste any wallet address or transaction hash. ChainHint traces fund flows across Bitcoin and 10 EVM chains (Ethereum, BSC, Polygon, Arbitrum, Optimism, Base, Avalanche, Fantom, Linea, zkSync) — up to 6 hops deep, covering up to 2,000 addresses per trace on the Agency plan.

The result is an interactive graph showing exactly how funds moved: which intermediary wallets were used, which exchanges received deposits, whether mixers or bridges were involved, and which addresses are OFAC-sanctioned.

Fund flow graph: Bybit exploiter address distributing across 30+ paths — DODO (DEX) at hop 2, Uniswap consolidation at hop 4.

AI Investigation Reports

After tracing, ChainHint generates a structured AI investigation report automatically. No manual analysis required.

The report covers every incident with:

• Executive Summary — what happened, in plain language
• Timeline — chronological reconstruction of fund movement
• Fund Flow Summary — percentage breakdown by destination type (exchange, mixer, bridge, unknown)
• MITRE ATT&CK classification — attack technique identification (T1078 Key Compromise in the example above)
• Recommendations — actionable steps including specific addresses to freeze and legal framework for transaction reversal

This report is exportable as PDF — formatted for use in legal proceedings, law enforcement referrals, and internal compliance documentation.

Pricing That Makes Sense

Three tiers, no sales call required:

Free — 1 investigation, 50 addresses per trace, 3 hops, basic report. Enough to evaluate the tool on a real incident.

Investigator ($79/month) — Unlimited investigations, 500 addresses per trace, 4 hops, full AI reports, PDF export, risk scoring, timeline playback, address monitoring for 5 addresses. Built for independent investigators and law firms handling multiple cases per month.

Agency ($499/month) — 2,000 addresses per trace, 6 hops, 50 address monitoring slots, 10,000 API requests/day, priority support. Built for exchanges, compliance teams, and forensic agencies running continuous monitoring and large-scale investigations.

When to Use Chainalysis vs. ChainHint

Choose Chainalysis if:

• You are a government agency or law enforcement with a formal procurement process
• You need coverage across 40+ chains including obscure L2s and non-EVM networks
• You require FedRAMP compliance or government-specific data handling agreements
• You have a six-figure annual budget and a dedicated compliance team

Choose ChainHint if:

• You need to start an investigation today, not after a sales cycle
• You're an independent investigator, crypto lawyer, or compliance analyst
• You're a DeFi protocol or small exchange that just experienced an exploit
• You're a hack victim trying to understand where your funds went
• Your budget is $79–$499/month, not $50,000–$500,000/year

Real-World Use Cases

Crypto law firms use ChainHint to generate court-ready evidence packages — fund flow graphs and AI reports that document chain-of-custody for legal proceedings, without needing to outsource to expensive forensic consultants.

DeFi protocols post-exploit use ChainHint to trace attacker wallets immediately after an incident — identifying exchange endpoints to notify for voluntary freezes before funds are liquidated.

Individual investors who lost funds to drainers or rug pulls use ChainHint to document the incident for law enforcement referrals and insurance claims.

Compliance teams at mid-size exchanges use ChainHint for AML screening and transaction monitoring without the overhead of an enterprise platform contract.

Limitations to Know

Honest assessment — ChainHint is not Chainalysis.

Chain coverage: 11 chains vs. 40+. If you need obscure L2s or non-EVM networks beyond what we support, Chainalysis or TRM Labs will have better coverage.

Database size: 44M+ labeled addresses is significant, but Chainalysis has been building their dataset for over a decade with law enforcement data access we don't have.

Compliance certifications: Chainalysis is SOC 2 certified, FedRAMP authorized. ChainHint is SOC 2 in progress. If your organization requires these certifications contractually, plan accordingly.

Hop depth on free tier: 3 hops covers most basic investigations but complex money laundering chains can require 5–6 hops, available on Agency.

Getting Started

1. Go to chainhint.com
2. Create a free account — no credit card required
3. Paste any wallet address or transaction hash
4. Review the fund flow graph and AI report
5. Export as PDF if needed for legal or compliance use

The free tier gives you one complete investigation. Enough to see whether ChainHint solves your problem before committing to a paid plan.

ChainHint is a blockchain forensics platform built for investigators, lawyers, compliance teams, and crypto companies. 44M+ labeled addresses, 350K entities, 11 chains. From $0/month — chainhint.com